Abstract

We propose a presentation of classical propositional tableaux elaborated by application of methods that are noteworthy in program design, namely program derivation with separation of concerns. We start by deriving from a straightforward specification an algorithm given as a set of recursive equations for computing all models of a finite set of formulae. Thereafter we discuss the employment of data structures, mainly with regard to an easily traceable manual execution of the algorithm. This leads to the kinds of trees usually given as constituting the tableaux. The whole development strives to avoid gaps, both of a logical and of a motivational nature.

1 Introduction

We teach a course, Logic for Computing, in a Software Engineering programme of studies. Prior to this, students have received courses in Calculus, Algebra and introductory Programming in Java, plus a course called Foundations of Computing, which introduces polymorphic, higher-order functions and inductive types together with the fundamental methods of induction and recursion in their various forms. Foundations of Computing emphasises a mathematical approach to Programming, specifically correctness proofs. Logic for Computing, in turn, concerns itself essentially with the notion of formal proof.

It follows from the foregoing that we should be very much interested in making methods of proof explicit. By this we mean both general strategies for developing and fully understanding solutions to problems, and manners of presenting the corresponding proofs which convey natural, concise and complete justifications of their design. Now, as it turns out, we have observed that some methods that have arisen within what could be called the science of Programming can be employed for obtaining or conveniently presenting mathematical results. This is to our mind a most welcome fact, for it exposes a unity of method between Programming and Mathematics that cannot but bring about positive outcomes for both sides, at least as far as the learning and teaching aspects are concerned.

In this paper we present an example of the latter, concerning the presentation of the method of tableaux. This is a proof procedure for both propositional and predicate logic dating back to [1] and [5], and whose ultimate variant (termed analytic tableaux) has been introduced in [3]. Specifically, what we do is: (1) We derive the method as a set of equations —to be used as rewriting rules— from a straightforward specification, namely the one demanding the computation of the set of all models of the given set of formulae. (2) We discuss the design of data structures for actually effecting and keeping trace of the execution of the method, which leads to the sorts of trees that are called "the tableaux" in textbooks. The first part yields a compact proof of the correctness of the method, much simpler than the ones in textbooks. The second part introduces the convenient and classical notation and establishes its correctness by relating it to the set of equations originally given, by means of a simple inductive argument. As a whole, the process is one in which we repeatedly employ simple techniques of program derivation and separation of concerns to obtain a presentation and justification of the method of tableaux that are both more modular and simpler.

The rest of the paper consists of a general background section, whose contents are assumed to have been taught prior to the study of tableaux. In section 3 we present the derivation of the equational algorithm calculating the set of all models of a given set of formulae. In section 4 we discuss the data structures for tracing the execution of the algorithm, leading to the usual presentations of tableaux, after which we finish up with a general discussion. The presentation is to be read basically as a concise course handout, with some explicit considerations of a logical or didactic nature.


2 Background

Syntax. It is enough to consider the set of connectives $\{\neg, \wedge\}$. Then the set of formulae is defined as usual, starting out from a denumerable set $V$ of propositional letters $p$:

$\alpha, \beta ::= p \mid \neg\alpha \mid \alpha \wedge \beta.$

We use signed formulae $a ::= S\alpha$, where $S ::= F \mid T$, as the forms of assertion or judgement.¹

Semantics. Interpretations belong in $\mathcal{I} = V \to \mathrm{Bool}$. The semantic value of each formula is defined as follows — let $A$ be the set of formulae and $(!)$ and $(\&\&)$ denote respectively Boolean negation and conjunction:

$[\![\cdot]\!]^i :: A \to \mathrm{Bool}$
$[\![p]\!]^i = i\,p$
$[\![\neg\alpha]\!]^i = \;!\,[\![\alpha]\!]^i$
$[\![\alpha \wedge \beta]\!]^i = [\![\alpha]\!]^i \;\&\&\; [\![\beta]\!]^i.$

Using the former we now define truth of an assertion (signed formula) in an interpretation. Call $\hat S$ the boolean value corresponding to the sign $S$. Then $i \models S\alpha \;=\; ([\![\alpha]\!]^i = \hat S)$, which reads: $i$ is a model of $S\alpha$, and also: $i$ satisfies $S\alpha$, or $S\alpha$ is valid in $i$. We shall consider finite sets $\Gamma$ of signed formulae and define models thereof (i.e. $i \models \Gamma$) as the interpretations satisfying every formula of $\Gamma$.

Truth in an interpretation. It is generally interesting to develop a method for checking truth of signed formulae in an interpretation. If we start with the propositional letters, we get:

$i \models Sp$
$=$ (model of signed formula)
$[\![p]\!]^i = \hat S$
$=$ (semantic function)
$i\,p = \hat S.$

For the other cases we wish to obtain (structurally) recursive equations. As to negation, writing $\overline S$ for the sign opposite to $S$, we obtain:

$i \models S(\neg\alpha)$
$=$ (model of signed formula)
$[\![\neg\alpha]\!]^i = \hat S$
$=$ (semantic function)
$!\,[\![\alpha]\!]^i = \hat S$
$=$ (negating both sides to isolate $[\![\alpha]\!]^i$)
$[\![\alpha]\!]^i = \;!\,\hat S$
$=$ (opposite sign)
$[\![\alpha]\!]^i = \hat{\overline S}$
$=$ (model of signed formula)
$i \models \overline S\alpha.$

Finally, turning to conjunction:

$i \models S(\alpha \wedge \beta)$
$=$ (model of signed formula)
$[\![\alpha \wedge \beta]\!]^i = \hat S$
$=$ (semantic function)
$[\![\alpha]\!]^i \;\&\&\; [\![\beta]\!]^i = \hat S,$

where we seem to get stuck. Indeed, rewriting the left hand side requires considering the definition of $(\&\&)$, and this is not uniform with respect to truth and falsity. Therefore we are led to try instead distinguishing the cases of $S$:

Case $T$:

$i \models T(\alpha \wedge \beta)$
$=$ (calculation above)
$[\![\alpha]\!]^i \;\&\&\; [\![\beta]\!]^i = \mathrm{True}$
$=$ (definition of $\&\&$)
$[\![\alpha]\!]^i = \mathrm{True} \;\boldsymbol{\wedge}\; [\![\beta]\!]^i = \mathrm{True}$
$=$ (satisfaction)
$i \models T\alpha \;\boldsymbol{\wedge}\; i \models T\beta.$²

Case $F$:

$i \models F(\alpha \wedge \beta)$
$=$ (calculation above)
$[\![\alpha]\!]^i \;\&\&\; [\![\beta]\!]^i = \mathrm{False}$
$=$ (definition of $\&\&$)
$[\![\alpha]\!]^i = \mathrm{False} \;\boldsymbol{\vee}\; [\![\beta]\!]^i = \mathrm{False}$
$=$ (satisfaction)
$i \models F\alpha \;\boldsymbol{\vee}\; i \models F\beta.$

¹ The use of signed formulae avoids privileging one boolean value over the other and consequently simplifies definitions.

Ultimately, we arrive at the following characterisation of the satisfaction relation:

Signed letter: $i \models Sp \;=\; (i\,p = \hat S)$
Signed negation: $i \models S(\neg\alpha) \;=\; i \models \overline S\alpha$
True conjunction: $i \models T(\alpha \wedge \beta) \;=\; i \models T\alpha \;\boldsymbol{\wedge}\; i \models T\beta$
False conjunction: $i \models F(\alpha \wedge \beta) \;=\; i \models F\alpha \;\boldsymbol{\vee}\; i \models F\beta.$


3 The Set of All Models

We now set ourselves the problem of computing all models of any given finite set $\Gamma$ of signed formulae. This is accomplished by the function

$\mathcal M : \mathcal P_{\mathrm{fin}}(\Sigma) \to \mathcal P(\mathcal I)$
$\mathcal M(\Gamma) = \{\, i \in \mathcal I \mid i \models \Gamma \,\},$

where $\Sigma$ is the set of signed formulae, $\mathcal P$ is the power set operator yielding the set of subsets of a given set, and $\mathcal P_{\mathrm{fin}}$ does the same for the finite subsets.³ Now this straightforward definition presents the inconvenience that, as a method of computation, it obliges us to construct all the interpretations and check each of them against the formulae in $\Gamma$. We are rather in search of a syntactic procedure, i.e. one that, applied exclusively to the formulae in $\Gamma$, ends up arriving at the desired set of models. Let us then examine $\Gamma$.

First of all, $\Gamma$ could be empty, which is indeed a plainly uninteresting case: every interpretation trivially satisfies the empty set of formulae, and so the result in that case is $\mathcal I$. So let us assume $\Gamma \neq \emptyset$. If this is the case, then we can pick any one of the formulae $a$ in $\Gamma$ and write the latter in the form $\Delta \mid a$, which means that $\Gamma = \Delta \cup \{a\}$ and $a \notin \Delta$. Given the former, we can now write:

$\mathcal M(\Gamma)$
$=$ (split)
$\mathcal M(\Delta \mid a)$
$=$ (definition of $\mathcal M$)
$\{\, i \in \mathcal I \mid i \models \Delta \mid a \,\}$
$=$ (satisfaction of a set of formulae)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models a \,\}.$

² We distinguish $\wedge$ from $\boldsymbol{\wedge}$, the first being the conjunction in the object language, the second being the conjunction in the meta-language. Likewise with $\vee$ and $\boldsymbol{\vee}$.

³ Our use of "computing" seems at first generous indeed, since we are setting ourselves to generating in general infinite sets of infinite objects. Consider for that matter the case $\Gamma = \{p\}$. Then any interpretation assigning True to $p$ is a member of the answer set. We shall see later how to settle this issue in detail —the general idea is to give a finite sufficient characterisation of infinite sets of interpretations.

The only source of information in the latter expression is the analysis of the form of $a$, and so we are led to an examination of cases, i.e. to considering:

$\mathcal M(\Delta \mid Sp) = \{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models Sp \,\},$
$\mathcal M(\Delta \mid S(\neg\alpha)) = \{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models S(\neg\alpha) \,\},$
$\mathcal M(\Delta \mid S(\alpha \wedge \beta)) = \{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models S(\alpha \wedge \beta) \,\}.$

We can profit from this analysis by using the results obtained at the end of the preceding section for checking the truth of signed formulae in a given interpretation. As it happens, the first case is a bit discouraging, for the satisfiability condition $i \models Sp$ takes us to consider the value of $p$ in the given interpretation, i.e. a semantic rather than a syntactic move. But it pays off to insist. Negation gives the following:

$\mathcal M(\Delta \mid S(\neg\alpha))$
$=$ (inferred above)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models S(\neg\alpha) \,\}$
$=$ (satisfaction of signed negation)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models \overline S\alpha \,\}$
$=$ (satisfaction of a set of formulae)
$\{\, i \in \mathcal I \mid i \models \Delta, \overline S\alpha \,\}$
$=$ (definition of $\mathcal M$)
$\mathcal M(\Delta, \overline S\alpha),$

where we have used $(,)$ instead of $(\cup)$ for set union. Notice that it is indeed this operation, and not the formerly used split $(\mid)$, which is to be employed in this case, for we do not now know whether the formula $\overline S\alpha$ belongs to $\Delta$ or not. The equation thus obtained, namely

$\mathcal M(\Delta \mid S(\neg\alpha)) = \mathcal M(\Delta, \overline S\alpha),$

is very convenient, for it rewrites the desired set of all models into an expression in which the overall complexity of the formulae has strictly decreased. The same works for conjunction, whose results with respect to satisfiability can be used by distinguishing the two cases of the sign affecting it:

$\mathcal M(\Delta \mid T(\alpha \wedge \beta))$
$=$ (inferred above)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models T(\alpha \wedge \beta) \,\}$
$=$ (satisfaction of true conjunction)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models T\alpha \;\boldsymbol{\wedge}\; i \models T\beta \,\}$
$=$ (satisfaction of a set of formulae)
$\{\, i \in \mathcal I \mid i \models \Delta, T\alpha, T\beta \,\}$
$=$ (definition of $\mathcal M$)
$\mathcal M(\Delta, T\alpha, T\beta).$

On the other hand:

$\mathcal M(\Delta \mid F(\alpha \wedge \beta))$
$=$ (inferred above)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models F(\alpha \wedge \beta) \,\}$
$=$ (satisfaction of false conjunction)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; (i \models F\alpha \;\boldsymbol{\vee}\; i \models F\beta) \,\}$
$=$ (distributing $\boldsymbol{\wedge}$ over $\boldsymbol{\vee}$)
$\{\, i \in \mathcal I \mid (i \models \Delta \;\boldsymbol{\wedge}\; i \models F\alpha) \;\boldsymbol{\vee}\; (i \models \Delta \;\boldsymbol{\wedge}\; i \models F\beta) \,\}$
$=$ (trading $\boldsymbol{\vee}$ for $\cup$ out of the set comprehension)
$\{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models F\alpha \,\} \cup \{\, i \in \mathcal I \mid i \models \Delta \;\boldsymbol{\wedge}\; i \models F\beta \,\}$
$=$ (satisfaction of a set of formulae)
$\{\, i \in \mathcal I \mid i \models \Delta, F\alpha \,\} \cup \{\, i \in \mathcal I \mid i \models \Delta, F\beta \,\}$
$=$ (definition of $\mathcal M$)
$\mathcal M(\Delta, F\alpha) \cup \mathcal M(\Delta, F\beta).$

As a result we have so far obtained:

$\mathcal M(\Delta \mid S(\neg\alpha)) = \mathcal M(\Delta, \overline S\alpha)$
$\mathcal M(\Delta \mid T(\alpha \wedge \beta)) = \mathcal M(\Delta, T\alpha, T\beta)$
$\mathcal M(\Delta \mid F(\alpha \wedge \beta)) = \mathcal M(\Delta, F\alpha) \cup \mathcal M(\Delta, F\beta),$

where the case of a signed letter, i.e. a literal, could not be included. Now, taking a look at the preceding equations for $\mathcal M$, we readily realise that the missing case is actually that of a set not containing any composite formulae, i.e. that of a set of literals. Such is the base case of our recursion, since this proceeds by decreasing the size of the formulae of the set being treated —and not the size of the set itself. Therefore it is natural to wonder whether the solution of such base case could actually be just immediate. This is indeed the case, because there is a straightforward manner of converting a set $\Gamma$ of literals into the set of all its models. There are two cases:

▷ $\Gamma$ contains pairs of opposite literals. Then it is inconsistent and the set of its models is $\emptyset$.
▷ Otherwise the models of $\Gamma$ are the interpretations that coincide with $\Gamma$ at the letters mentioned in it.

Formally, call $\widetilde\Gamma$ the set of all models of the set $\Gamma$ of literals. It is defined as follows:

$\widetilde\Gamma = \emptyset$ if $\{Tp, Fp\} \subseteq \Gamma$ for some $p$,
$\widetilde\Gamma = \{\, i \in \mathcal I \mid (\forall\, Sp \in \Gamma)\; i\,p = \hat S \,\}$ otherwise.

Notice that the alternative is decidable and that in the second case the result is sufficiently characterised by the set $\Gamma$ of literals, and so we get a finite representation of it. We can then put together the equations for actually computing $\mathcal M$:

$\mathcal M(\Delta \mid T(\alpha \wedge \beta)) = \mathcal M(\Delta, T\alpha, T\beta)$
$\mathcal M(\Delta \mid F(\alpha \wedge \beta)) = \mathcal M(\Delta, F\alpha) \cup \mathcal M(\Delta, F\beta)$
$\mathcal M(\Delta \mid S(\neg\alpha)) = \mathcal M(\Delta, \overline S\alpha)$
$\mathcal M(\Gamma) = \widetilde\Gamma$ if $\Gamma$ is a set of literals.

We claim that $\mathcal M$ captures the essence of the method of tableaux, and that the derivation carried out above actually gives a quite simple proof of its correctness. Nevertheless, its actual execution needs to employ some kind of data structure to record the successive transformations leading to the final result. That is what we now turn to examining.
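The characterisation of satisfaction from the Background section and the equations for $\mathcal M$ just given, worked through in Python as an added example; this code is not part of the paper. Formulae are encoded as nested tuples and interpretations as dictionaries from letters to booleans (the example's own conventions). The check against the specification enumerates only the letters occurring in $\Gamma$, relying on the fact that interpretations differing elsewhere agree on every formula of $\Gamma$. The result of `all_models` is the finite characterisation discussed in this section: a set of consistent literal sets, each standing for all interpretations that coincide with it.

```python
# Added example (not the paper's code): the semantic value [[α]]^i, the
# recursive characterisation of i |= Sα, and the equations for M, with a
# brute-force check that M agrees with the specification {i | i |= Γ}.
# Encoding (this example's convention): a letter is a str, ('not', a) is
# ¬a, ('and', a, b) is a ∧ b; a signed formula is (S, a) with S in 'TF'.
from itertools import product

OPPOSITE = {'T': 'F', 'F': 'T'}      # the sign opposite to S
BOOL_OF = {'T': True, 'F': False}    # the boolean value of a sign

def value(formula, i):
    """[[formula]]^i for an interpretation i given as dict letter -> bool."""
    if isinstance(formula, str):
        return i[formula]                                  # [[p]]^i = i p
    if formula[0] == 'not':
        return not value(formula[1], i)                    # ! [[α]]^i
    return value(formula[1], i) and value(formula[2], i)   # [[α]]^i && [[β]]^i

def sat(signed, i):
    """i |= Sα by the four structurally recursive equations."""
    sign, formula = signed
    if isinstance(formula, str):                           # signed letter
        return i[formula] == BOOL_OF[sign]
    if formula[0] == 'not':                                # signed negation
        return sat((OPPOSITE[sign], formula[1]), i)
    alpha, beta = formula[1], formula[2]
    if sign == 'T':                                        # true conjunction
        return sat(('T', alpha), i) and sat(('T', beta), i)
    return sat(('F', alpha), i) or sat(('F', beta), i)     # false conjunction

def literal_models(gamma):
    """Γ~ for a set Γ of literals: empty when Γ holds a pair of opposite
    literals, otherwise {Γ}, Γ standing for every i that coincides with it."""
    if any((OPPOSITE[s], p) in gamma for s, p in gamma):
        return set()
    return {frozenset(gamma)}

def all_models(gamma):
    """M(Γ) by the equations, as a set of consistent literal sets."""
    gamma = frozenset(gamma)
    composite = [a for a in gamma if not isinstance(a[1], str)]
    if not composite:                                      # M(Γ) = Γ~
        return literal_models(gamma)
    a = composite[0]                                       # split Γ = Δ | a
    delta = gamma - {a}
    sign, formula = a
    if formula[0] == 'not':                                # M(Δ | S¬α) = M(Δ, S̄α)
        return all_models(delta | {(OPPOSITE[sign], formula[1])})
    alpha, beta = formula[1], formula[2]
    if sign == 'T':                                        # M(Δ | T(α∧β)) = M(Δ, Tα, Tβ)
        return all_models(delta | {('T', alpha), ('T', beta)})
    return (all_models(delta | {('F', alpha)})             # M(Δ | F(α∧β)) =
            | all_models(delta | {('F', beta)}))           #   M(Δ, Fα) ∪ M(Δ, Fβ)

def letters(gamma):
    """Propositional letters occurring in the signed formulae of Γ."""
    acc = set()
    def walk(f):
        if isinstance(f, str):
            acc.add(f)
        else:
            for sub in f[1:]:
                walk(sub)
    for _, f in gamma:
        walk(f)
    return acc

def interpretations(names):
    """Every assignment of the given letters; letters outside them cannot
    affect the truth of formulae built from them only."""
    names = sorted(names)
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def spec_models(gamma):
    """The specification {i | i |= Γ}, evaluated through [[·]]^i directly."""
    return [i for i in interpretations(letters(gamma))
            if all(value(f, i) == BOOL_OF[s] for s, f in gamma)]

def expand(literal_sets, names):
    """Interpretations over `names` that coincide with some literal set."""
    return [i for i in interpretations(names)
            if any(all(i[p] == BOOL_OF[s] for s, p in ls) for ls in literal_sets)]

def agrees(gamma):
    """M(Γ) describes the same interpretations as the specification, and
    sat coincides with the semantic value on every formula of Γ."""
    names = letters(gamma)
    same_models = expand(all_models(gamma), names) == spec_models(gamma)
    same_sat = all(sat(a, i) == (value(a[1], i) == BOOL_OF[a[0]])
                   for i in interpretations(names) for a in gamma)
    return same_models and same_sat

# Constructed sample: Γ = {T(p ∧ ¬q), F(p ∧ q)}.
GAMMA = {('T', ('and', 'p', ('not', 'q'))), ('F', ('and', 'p', 'q'))}
```

Calling `all_models(GAMMA)` yields the single literal set $\{Tp, Fq\}$, and `agrees(GAMMA)` confirms that expanding it over the letters $p, q$ gives exactly the interpretations the specification selects. Because the recursion splits on the set and not on its size, the order in which composite formulae are picked does not affect the result, only the amount of work, which is the observation the following section turns into a data-structure question.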


4 Data Structures for the Tableaux

List of lists. If we ignored the second equation above we would be in the presence of a tail-recursive algorithm, i.e. one whose execution could consist merely in successively rewriting the finite set of formulae at hand. We could then make do simply with a list of formulae from which we would choose the next formula to be transformed. Now, consideration of the second equation does not in principle introduce any dramatic modification of this situation: it is enough that each application of the equation produces a split of the list from which the formula $F(\alpha \wedge \beta)$ is taken into two lists, each of them containing exactly one of the two formulae $F\alpha$ and $F\beta$ in place of the original one, without any further change.

We illustrate this by means of an example. Suppose we consider $\Gamma = [T(p \wedge \neg q), F(p \wedge q)]$, which we already make into a list of formulae (as indicated by the use of the $[\ldots]$ notation). Then we may choose, say, the second formula to proceed, which leads us to employ $\mathcal M$'s second equation, splitting the original list into two and yielding $[T(p \wedge \neg q), Fp], [T(p \wedge \neg q), Fq]$. In the next step we may choose any one of the two occurrences of the only composite (i.e. non-literal) formula. Say we take the left one. The equation to employ is $\mathcal M$'s first, yielding $[Tp, T(\neg q), Fp], [T(p \wedge \neg q), Fq]$. Of course we may do the same with the right occurrence of the formula just considered, arriving at $[Tp, T(\neg q), Fp], [Tp, T(\neg q), Fq]$. We are now left only with the two occurrences of $T(\neg q)$ to treat, which we must do in two steps using the third equation of $\mathcal M$. We write the final result at once: $[Tp, Fq, Fp], [Tp, Fq, Fq]$. Clearly the first set of literals is unsatisfiable, which, by the way, we could have noticed some steps earlier, thereby obtaining a less expensive development. The second set is just $\{Tp, Fq\}$ and characterises all the models of the original $\Gamma$.

There seem to be three inconveniences as to this execution. The first is that we have treated one and the same formula twice, on two different occasions. One readily realises that the issue is avoidable if the branching equation corresponding to a false conjunction is always used after every other (non-branching) equation that was applicable. The second inconvenience is that we have rewritten many a formula that was left unchanged. And, finally, the execution is awkwardly traceable —we have indicated the successive steps only by means of narrative text interspersed in the successive rewritings. The latter is of importance when we consider executions by hand —then a more formal and easily checkable notation would be most welcome to both students and teachers. We shall consider these two remaining issues in the next two subsections, beginning with the latter, about an easily traceable notation.

Tree of lists. The straightforward manner of making executions like the former traceable and easily verifiable is just to record the application of each rule, including mention of the formula used. We should therefore begin by naming the equations of the algorithm, say $T\wedge$, $F\wedge$, $\neg$ and $\ell$, in the order in which they are written above. The procedure leads to the deployment of a tree structure whose nodes are lists of formulae as in the preceding section, and whose internal nodes (not leaves) are decorated by labels as explained presently:

0. To begin with, we have only one item, namely the original list of formulae. This is of course a tree with only one terminal node (leaf).

1. At each step we choose a composite formula within a leaf (call this leaf $\mathcal L$) and apply the corresponding rule as already explained. As a result one or two new lists of formulae are obtained, which are linked to $\mathcal L$, becoming successors of $\mathcal L$ in the tree. At the same time we label $\mathcal L$ with the name of the equation and the formula used.

The leaves of these trees coincide with the lists of formulae obtained by the procedure explained in the preceding paragraph —we have only added a tree structure on top of them for tracing their computation. Therefore, the set of models of the root of the tree is obtained as the union of the sets of models of the leaves. Formally, this much becomes clear after observing that the union of the sets of models of the leaves, and therefore the invariant just mentioned, is indeed preserved by each application of one equation as described above. Therefore the correctness of the computation procedure using these trees follows by straightforward mathematical induction. The right formulation and proof of this result is left as an exercise.

Notice that the preceding description amounts to inductively defining these trees as a family $\mathcal T(\Gamma)$ indexed by the finite sets $\Gamma$, in a manner such that the constructors stand in correspondence with the equations as named above, as follows: to internal nodes, the constructors $T\wedge$, $F\wedge$ and $\neg$ are associated, corresponding to the equation used in each case. The leaves are the as yet untreated nodes or those already formed by literals only. In either case we associate to the leaf the constructor $\ell$. Unfortunately, we must skip a detailed explanation for reasons of space.

Tree of formulae. The repetition of possibly large lists of formulae along the trees as introduced in the preceding section can be avoided, e.g. by employing the procedure described in [3]. We describe these less expensive trees as follows. The general idea is to write at each node of the tree different from the root only the formulae originated by the use (decomposition) of another formula. The root of the tree will contain the originally given set (list) of formulae. With this information it is possible to compute the full trees of the preceding paragraph, provided the used formulae are recorded at each step, i.e. at each node. Therefore, the correctness of the present method with improved trees will follow from the correctness of the prior method. Specifically, we define the improved trees as follows:

1. Each node will have associated an explicit set $E$ and an implicit set $\Gamma$ of formulae. $E$ is to be written down explicitly, whereas $\Gamma$ is to be computed when necessary.

2. For the root of the tree, both $E$ and $\Gamma$ coincide with the originally given set of formulae.

3. For the other nodes, $E$ will consist of one or two formulae.

4. All internal (i.e. non-leaf) nodes will also have associated one formula, to be called the one used at the node.
We now indicate how to extend the tree down from a leaf:

1. A formula $a$ in $\Gamma$ is chosen and written down at the node as its used formula.

2. Then one proceeds according to the form of the chosen formula:

a. In case it is of the form $T(\alpha \wedge \beta)$ then the tree is extended with one child node. For this new node, $E = \{T\alpha, T\beta\}$.

b. In case it is of the form $F(\alpha \wedge \beta)$ then the tree is extended with two child nodes. One of them will have $E = \{F\alpha\}$, whereas the other one will have $E = \{F\beta\}$.

c. Finally, in case the chosen formula is of the form $S(\neg\alpha)$ then the tree is extended with one child node having $E = \{\overline S\alpha\}$.

For every newly created node, the set $\Gamma$ is computed as follows: if $\Gamma_0$ is the implicit set of the parent node, then $\Gamma = (\Gamma_0 - a) \cup E$, where $-$ denotes deletion of a member in a set.

Now, to each improved tree $t$ with a non-leaf root which has associated explicit set $E$ and implicit set $\Gamma$ of formulae, as well as used formula $a$, a full tree of type $\mathcal T(\Gamma)$ can be associated, whose constructor is the one corresponding to the form of $a$, i.e. $T\wedge$, $F\wedge$ or $\neg$, and whose children trees are the ones (recursively) corresponding to the children trees of $t$. If otherwise $t$ is just a leaf, then its corresponding full tree is $\ell(\Gamma)$, where $\Gamma$ is the implicit set of formulae of the leaf in question. This correspondence already gives a method for using the improved trees in order to compute all the models of any given set of formulae. Nevertheless, the following result makes the process easier: the implicit set at each leaf is the union of the explicit sets on the branch ending at the leaf in question, minus those formulae that have been used on that branch. Thereby one can determine when a branch is completed, which happens when the implicit set at the corresponding leaf is a set $\Gamma$ of literals. Further, $\widetilde\Gamma$ is then the corresponding set of models, and one can compute the set of models of the whole tree (i.e. of the originally given set of formulae) by taking the union of the sets at each leaf, just as with the full trees.
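The tree of lists and the tree of formulae of this section, built in Python as an added example; this is not code from the paper. Each node carries the explicit set $E$, the implicit set $\Gamma$ and the used formula, and the implicit set of a child is recomputed as $(\Gamma_0 - a) \cup E$, which is exactly the node list of the corresponding tree of lists. The formula to decompose is chosen following the remedy for the first inconvenience of the list-of-lists execution, namely that non-branching rules are applied before any false conjunction is split; `branch_implicit` checks the result stated above, that the implicit set at a completed leaf equals the union of the explicit sets on its branch minus the used formulae. The encoding of formulae as nested tuples and of signed formulae as pairs is the example's own convention.

```python
# Added example (not the paper's code): the improved "tree of formulae",
# with the implicit set Γ recomputed along each branch so that the "tree of
# lists" can be recovered, and the models read off the completed leaves.
# Encoding (this example's convention): a letter is a str, ('not', a) is
# ¬a, ('and', a, b) is a ∧ b; a signed formula is (S, a) with S in 'TF'.
OPPOSITE = {'T': 'F', 'F': 'T'}

class Node:
    """Explicit set E, implicit set Γ, used formula (None at leaves), children."""
    def __init__(self, explicit, implicit):
        self.explicit = frozenset(explicit)
        self.implicit = frozenset(implicit)
        self.used = None
        self.children = []

def choose(gamma):
    """Formula to decompose next: a non-branching one if any, so that a false
    conjunction is split only when nothing else is left (this avoids treating
    one formula twice on two branches). None when Γ is a set of literals."""
    composite = sorted((a for a in gamma if not isinstance(a[1], str)), key=repr)
    for a in composite:
        if not (a[0] == 'F' and a[1][0] == 'and'):
            return a
    return composite[0] if composite else None

def children_explicit(signed):
    """Explicit sets E of the children created by decomposing `signed`."""
    sign, formula = signed
    if formula[0] == 'not':                          # rule ¬: one child
        return [{(OPPOSITE[sign], formula[1])}]
    alpha, beta = formula[1], formula[2]
    if sign == 'T':                                  # rule T∧: one child
        return [{('T', alpha), ('T', beta)}]
    return [{('F', alpha)}, {('F', beta)}]           # rule F∧: two children

def extend(leaf):
    """Extend the tree down from a leaf; False when the leaf is completed."""
    a = choose(leaf.implicit)
    if a is None:
        return False
    leaf.used = a
    for e in children_explicit(a):
        # Γ = (Γ0 − a) ∪ E, Γ0 being the implicit set of the parent
        leaf.children.append(Node(e, (leaf.implicit - {a}) | e))
    return True

def build(gamma):
    """Root with E = Γ = the given set; extend until every leaf is literal."""
    root = Node(gamma, gamma)
    frontier = [root]
    while frontier:
        leaf = frontier.pop()
        if extend(leaf):
            frontier.extend(leaf.children)
    return root

def paths(node, prefix=()):
    """All root-to-leaf branches, each as a tuple of nodes."""
    prefix = prefix + (node,)
    if not node.children:
        return [prefix]
    return [p for c in node.children for p in paths(c, prefix)]

def branch_implicit(path):
    """Union of the explicit sets on a branch minus the formulae used on it."""
    explicit = frozenset().union(*(n.explicit for n in path))
    return explicit - {n.used for n in path if n.used is not None}

def claim_holds(root):
    """The result stated in the text: branch_implicit equals the leaf's Γ."""
    return all(branch_implicit(p) == p[-1].implicit for p in paths(root))

def models(root):
    """Union over the leaves of Γ~: each consistent leaf yields its literal set."""
    result = set()
    for path in paths(root):
        g = path[-1].implicit
        if not any((OPPOSITE[s], p) in g for s, p in g):   # open branch
            result.add(g)
    return result

def trace(node, depth=0):
    """One line per node: the explicit set and the formula used there."""
    lines = ['  ' * depth + f'E={sorted(node.explicit, key=repr)} used={node.used}']
    for c in node.children:
        lines.extend(trace(c, depth + 1))
    return lines

# Constructed sample: Γ = {T(p ∧ ¬q), F(p ∧ q)}, the set of the list-of-lists example.
GAMMA = {('T', ('and', 'p', ('not', 'q'))), ('F', ('and', 'p', 'q'))}

if __name__ == '__main__':
    root = build(GAMMA)
    print('\n'.join(trace(root)))
    print(models(root))   # {frozenset({('T', 'p'), ('F', 'q')})}
```

On the sample set the tree has a single chain of three internal nodes (using $T(p \wedge \neg q)$, then $T(\neg q)$, then $F(p \wedge q)$) and two leaves; the false conjunction is split last, so no formula is decomposed twice, in contrast with the list-of-lists run above. The leaf with $E = \{Fp\}$ has implicit set $\{Tp, Fq, Fp\}$ and is closed; the leaf with $E = \{Fq\}$ has implicit set $\{Tp, Fq\}$, which is the only literal set in the result.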

5 Conclusions

We have put forward a presentation of classical propositional tableaux elaborated by application of some principles that are noteworthy in program design. Foremost among those principles is that of separation of concerns: we have namely started by deriving from a straightforward specification an algorithm given as a set of recursive equations for computing all models of a finite set of formulae. The correctness of the algorithm is brought about hand-in-hand with its derivation by means of a basic inductive argument whose cases are each solved by calculational reasoning yielding identities between sets of interpretations that do not need the usual "ping-pong" (or direct-and-converse) argument.

Thereafter we discussed the employment of data structures, mainly with regard to a manual execution of the algorithm. A requirement of natural traceability and verification led us to the trees of sets or lists of formulae presented in [DS!>, the correctness of which is immediate after their derivation as traces of the employment of the original equations. A further improvement avoids the repetition of unmodified formulae, giving rise to the trees presented in [3], whose correctness is in turn guaranteed by showing that they carry the same information as the former trees.

Smullyan's classical presentation [3] introduces instead the method as a proof procedure for establishing unsatisfiability of (finite) sets of (signed) formulae. The tableaux are given directly in the form of our improved trees of formulae. The proof of correctness is then as usual composed of two arguments, one of soundness and one of completeness, to the effect that unsatisfiable sets give rise to closed tableaux, i.e. ones in which every branch contains a contradiction and thus has no model. The proof of soundness is by a quite direct tree induction, whereas the proof of completeness involves showing that an open completed branch, i.e. one in which every formula has been fully decomposed, is a Hintikka set. Besides, Hintikka's lemma is proven, to the effect that every Hintikka set has a model.

In our experience, the use of the method as in the classical presentation leads students to the realisation that they either prove the given set of formulae inconsistent or can compute every counter-example (i.e. a sufficient characterisation thereof). Subsequently they tend to ask why we cannot establish this fact as a meta-theoretical result. Our presentation does precisely that —and the correctness of the method as a proof procedure follows as an immediate corollary. The idea of computing all models of the given set of formulae has led us to give an abstract formulation of the procedure. We then treat as a separate matter the question of the concrete trace of the manual execution of the method. As we have been able to check, this treatment provides the students with improved command over the method, i.e. they have a sounder command of what they are doing and also of the various possible notations or manners of justification they can give for it.

It could be argued that Smullyan's presentation and proof scale to infinite sets of formulae and to first-order logic, and one could therefore ask about this feature regarding our presentation. Concerning infinite sets of formulae, the first thing to say is that the validity of our equations is certainly not affected. Nevertheless, they of course can no longer be interpreted as an algorithm. Even if we assume as usual a principle of omniscience concerning the infinite sets, the method of choice of the formulae to be successively decomposed by application of the equations is essential for getting the right result. But, as is the case also with the classical presentation, there exist methods of orderly choice that guarantee (under the omniscience principle) the computation of all models and thus the correctness of the method. Generalisation to first-order logic, on the other hand, requires abandoning the idea of "computing all models", replacing it by e.g. "determining whether the set of formulae is (un)satisfiable or not".

We conclude that our presentation may contribute better to the achievement of proficiency with understanding, which is our main learning objective. It also emphasises design methodology, which we strive to do along and across the whole of the programme of studies. It could also be argued that the method is tailored to students of Computing Science or Software Engineering only. We however believe that it can also be taught without much difficulty to Mathematics or Philosophy students, and that the advantages we claim to obtain can be appreciated in such cases as well. This, however, is yet to be checked.

Finally, we should like to think of this work as one interpretation and case of the disclosing of the "doing" of Mathematics as advocated by Dijkstra [5]. We have tried to avoid all gaps of both a mathematical and a motivational nature. To our mind, this case is yet another sample of the unity of structure and method that Mathematics and Programming share.⁴ Exploiting such unity should be fruitful for improving understanding and thus for better helping learning.

⁴ And that at a deeper level shows up in the propositions-as-types principle.